MS issued advisory, current exploit potential

Roger Abell [MVP]

Today Microsoft issued the advisory

Vulnerability in Vector Markup Language Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/925568.mspx

The exploit is said to be both released in code form and to be currently,
actively exploited to some extent. You can find bulletins from most groups
and vendors by now.

See the advisory for action you can take.

Also, see the info Jesper Johansson's blogged (with help of Alun Jones,
who you see in these newsgroups) for an AD GPO based approach
http://msinfluentials.com/blogs/jes...Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx
i.e. http://tinyurl.com/mtcbd
..
Roger
 
David H. Lipman

From: "Roger Abell [MVP]" <[email protected]>

| Today Microsoft issued the advisory
|
| Vulnerability in Vector Markup Language Could Allow Remote Code Execution
| http://www.microsoft.com/technet/security/advisory/925568.mspx
|
| The exploit is said to be both released in code form and to be currently,
| actively exploited to some extent. You can find bulletins from most groups
| and vendors by now.
|
| See the advisory for action you can take.
|
| Also, see the info Jesper Johansson's blogged (with help of Alun Jones,
| who you see in these newsgroups) for an AD GPO based approach
|
| http://msinfluentials.com/blogs/jes...Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx
| i.e. http://tinyurl.com/mtcbd
| .
| Roger
|

Too many so called "Zero Day Exploits" in the last fortnight.

MS Word
http://www.us-cert.gov/cas/alerts/SA06-250A.html

MS Publisher
http://www.us-cert.gov/cas/alerts/SA06-255A.html

ActiveX DirectAnimation
http://www.us-cert.gov/cas/alerts/SA06-258A.html

And now VML in HTML vulnerability.
http://www.us-cert.gov/cas/alerts/SA06-262A.html


MCSE - Microsoft Can't Secure Enough
 
imhotep

David said:
From: "Roger Abell [MVP]" <[email protected]>

| Today Microsoft issued the advisory
|
| Vulnerability in Vector Markup Language Could Allow Remote Code
| Execution http://www.microsoft.com/technet/security/advisory/925568.mspx
|
| The exploit is said to be both released in code form and to be
| currently,
| actively exploited to some extent. You can find bulletins from most
| groups and vendors by now.
|
| See the advisory for action you can take.
|
| Also, see the info Jesper Johansson's blogged (with help of Alun Jones,
| who you see in these newsgroups) for an AD GPO based approach
|
| http://msinfluentials.com/blogs/jes...Block-VML-Zero_2D00_Day-Vuln-on-a-domain.aspx
| i.e. http://tinyurl.com/mtcbd
| .
| Roger
|

Too many so called "Zero Day Exploits" in the last fortnight.

MS Word
http://www.us-cert.gov/cas/alerts/SA06-250A.html

MS Publisher
http://www.us-cert.gov/cas/alerts/SA06-255A.html

ActiveX DirectAnimation
http://www.us-cert.gov/cas/alerts/SA06-258A.html

And now VML in HTML vulnerability.
http://www.us-cert.gov/cas/alerts/SA06-262A.html


MCSE - Microsoft Can't Secure Enough


Thanks for the information!!!!

Imhotep
 
MowGreen [MVP]

And, from eWeek:

Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole
http://www.eweek.com/article2/0,1895,2017626,00.asp
The newest zero-day flaw in the Microsoft Windows implementation of the Vector
Markup Language is being used to flood infected machines with a massive collection of
bots, Trojan downloaders, spyware and rootkits.

Less than 24 hours after researchers at Sunbelt Software discovered an active malware
attack [http://www.eweek.com/article2/0,1895,2017407,00.asp] against fully patched
versions of Windows, virus hunters say the Web-based exploits are serving up
botnet-building Trojans and installations of ad-serving spyware.

"This is a massive malware run," says Roger Thompson, chief technical officer at
Atlanta-based Exploit Prevention Labs. In an interview with eWEEK, Thompson confirmed
the drive-by attacks are hosing infected machines with browser tool bars and spyware
programs with stealth rootkit capabilities.

The laundry list of malware programs seeded on Russian porn sites also includes a
dangerous keystroke logger capable of stealing data from computers and a banker Trojan
that specifically hijacks log-in information from financial Web sites.


MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============
 
David H. Lipman

From: "MowGreen [MVP]" <[email protected]>

| And, from eWeek:
|
| Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole
| http://www.eweek.com/article2/0,1895,2017626,00.asp
|
| The newest zero-day flaw in the Microsoft Windows implementation of the Vector
| Markup Language is being used to flood infected machines with a massive collection of
| bots, Trojan downloaders, spyware and rootkits.
|
| Less than 24 hours after researchers at Sunbelt Software discovered an active malware
| attack [http://www.eweek.com/article2/0,1895,2017407,00.asp] against fully patched
| versions of Windows, virus hunters say the Web-based exploits are serving up
| botnet-building Trojans and installations of ad-serving spyware.
|
| "This is a massive malware run," says Roger Thompson, chief technical officer at
| Atlanta-based Exploit Prevention Labs. In an interview with eWEEK, Thompson confirmed
| the drive-by attacks are hosing infected machines with browser tool bars and spyware
| programs with stealth rootkit capabilities.
|
| The laundry list of malware programs seeded on Russian porn sites also includes a
| dangerous keystroke logger capable of stealing data from computers and a banker Trojan
| that specifically hijacks log-in information from financial Web sites.
|
| MowGreen [MVP 2003-2006]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============
|


Thanx MowGreen !!
 
Guest

From secguru.com:

-------

1. Click Start, click Run, type "regsvr32 -u "%ProgramFiles%\Common
Files\Microsoft Shared\VGX\vgx.dll"" (without the quotation marks), and then
click OK.

2. A dialog box appears to confirm that the un-registration process has
succeeded. Click OK to close the dialog box.

Impact of Workaround: Applications that render VML will no longer do so once
Vgx.dll has been unregistered. To undo this change, re-register Vgx.dll by
following the above steps. Replace the text in Step 1 with "regsvr32
"%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"".
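A way to verify that the workaround quoted above is actually in effect on a machine, and to apply it without the confirmation dialog where that is wanted. This is an added example from the editor, not code from the post, secguru.com or Microsoft; the vgx.dll locations (the path the post gives, plus the Program Files (x86) copy on 64-bit Windows) and the lookup of HKCR\CLSID\{clsid}\InprocServer32, where regsvr32 records an in-process COM server, are the assumptions it rests on.

```powershell
# Added example (editor's own, not from the thread): report whether vgx.dll is
# still registered as a COM server and, with -Unregister, apply the quoted
# regsvr32 -u workaround non-interactively. Run from an elevated PowerShell.
param([switch]$Unregister)

# Candidate locations of vgx.dll (assumed; the first is the path the post quotes,
# the second is the 32-bit copy on 64-bit Windows).
$VgxPaths = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Common Files\Microsoft Shared\VGX\vgx.dll' } |
    Select-Object -Unique

function Get-VgxRegistrations {
    # regsvr32 records each COM class a DLL serves under
    # HKCR\CLSID\{clsid}\InprocServer32, with the DLL path as the default value.
    # Walk those keys and return the ones that still point at vgx.dll.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inproc = "$($_.PSPath)\InprocServer32"
            if (Test-Path $inproc) {
                $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
                if ($server -and $server -like '*\vgx.dll*') {
                    [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server }
                }
            }
        }
}

function Unregister-Vgx([string]$Path) {
    # Same command as the quoted workaround; /s suppresses the confirmation
    # dialog so this can run from a startup or logon script. regsvr32 is a GUI
    # program, so wait on the process to get a meaningful exit code.
    $p = Start-Process -FilePath regsvr32.exe -ArgumentList '/u', '/s', "`"$Path`"" -Wait -PassThru
    return $p.ExitCode
}

$present = @($VgxPaths | Where-Object { Test-Path $_ })
$regs    = @(Get-VgxRegistrations)

if ($present.Count -eq 0) { Write-Output 'vgx.dll not found in any expected location.' }
if ($regs.Count -eq 0) {
    Write-Output 'vgx.dll is not registered as a COM server: VML rendering is disabled.'
} else {
    Write-Output "vgx.dll is registered for $($regs.Count) COM class(es):"
    $regs | Format-Table -AutoSize | Out-String | Write-Output
    if ($Unregister) {
        foreach ($path in $present) {
            $rc = Unregister-Vgx $path
            Write-Output ("regsvr32 /u {0} exited with code {1}" -f $path, $rc)
        }
    }
}
```

Once the update from the advisory is installed, re-register vgx.dll (the undo step in the post) so that applications rendering VML work again.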
 
MowGreen [MVP]

Personally I'd rather remove the defective file as the chances of it ever
Or, one could use an up to date alternative browser. ;)

MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============
 
karl levinson, mvp

MowGreen said:
And, from eWeek:

Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole
http://www.eweek.com/article2/0,1895,2017626,00.asp

We can see from Trend Micro's numbers for the VML exploit that there is no
"flooding" or "massive malware run" going on. Or rather, the "flooding"
they are talking about is that one web site was observed loading 49
different adware tools onto one infected system, not that massive numbers of
systems were being infected. For example:

http://blogs.securiteam.com/index.php/archives/623
 
Roger Abell [MVP]

karl levinson said:
We can see from Trend Micro's numbers for the VML exploit that there is no
"flooding" or "massive malware run" going on. Or rather, the "flooding"
they are talking about is that one web site was observed loading 49
different adware tools onto one infected system, not that massive numbers
of systems were being infected. For example:

http://blogs.securiteam.com/index.php/archives/623

To use the words of one notorious poster, it would appear the
news report came from "spin masters" ;-(

In all probability we will be seeing much more use of the VML
vulnerability in coming weeks, in metasploit now, etc.

Now, we sit and watch as few if many acknowledge the great job
MS did on the turn-around for response to VML vulnerability
and even fewer taking note of the fact that machines running the Vista
or the IE 7 rcs just rode out this as a non-event for them.

Roger
 
MowGreen

I'm sorry for posting that trite media hype. " Massive malware run " my
butt. At least those who frequent seedy pRon sites were aware of the issue.

As Roger and Karl have pointed out there was/is potential for this
vulnerability to be exploited still, even though MS did a fine job in
getting the update out in a timely manner.

The only thing massive about the vuln was the shrill hype coming from
the so-called "Tech media". The "regular" media just follow along since
the sensational always is good for ratings and sells papers.

Mowa culpa ;)


MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============
 
David H. Lipman

From: "MowGreen" <[email protected]>

| I'm sorry for posting that trite media hype. " Massive malware run " my
| butt. At least those who frequent seedy pRon sites were aware of the issue.
|
| As Roger and Karl have pointed out there was/is potential for this
| vulnerability to be exploited still, even though MS did a fine job in
| getting the update out in a timely manner.
|
| The only thing massive about the vuln was the shrill hype coming from
| the so-called "Tech media". The "regular" media just follow along since
| the sensational always is good for ratings and sells papers.
|
| Mowa culpa ;)
|
| MowGreen [MVP 2003-2006]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============
|


Sorry guys, I just got a report of a US Gov't. computer getting infected via this Exploit while
accessing a US Gov't. web site.

I am not at liberty, in public, to disclose the infected site and the infector site.
 
karl levinson, mvp

| Sorry guys, I just got a report of a US Gov't. computer getting infected via
| this Exploit while accessing a US Gov't. web site.
|
| I am not at liberty, in public, to disclose the infected site and the
| infector site.

Yes, absolutely there is SOME real risk.

But on the other hand, I bet that agency was aware of and accepted that
risk.

I'm guessing that computer was probably not running antivirus with the
latest definitions.

And the vulnerability used to compromise the web site is probably not
anything new.
 
Roger Abell [MVP]

David H. Lipman said:
From: "MowGreen" <[email protected]>

| I'm sorry for posting that trite media hype. " Massive malware run " my
| butt. At least those who frequent seedy pRon sites were aware of the issue.
|
| As Roger and Karl have pointed out there was/is potential for this
| vulnerability to be exploited still, even though MS did a fine job in
| getting the update out in a timely manner.
|
| The only thing massive about the vuln was the shrill hype coming from
| the so-called "Tech media". The "regular" media just follow along since
| the sensational always is good for ratings and sells papers.
|
| Mowa culpa ;)
|
| MowGreen [MVP 2003-2006]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============
|


Sorry guys, I just got a report of a US Gov't. computer getting infected via
this Exploit while accessing a US Gov't. web site.

I am not at liberty, in public, to disclose the infected site and the
infector site.

No need to be sorry about anything Dave.
The dust will probably be settling out for some time, especially if the
reports about the cPanel-exploited perpetrator sites are accurate.
MS has over the past couple years done an amazing job at driving
up patch coverage and driving down time to patch, but millions are
likely not in the loop in any timely way.

Roger
 
David H. Lipman

From: "Roger Abell [MVP]" <[email protected]>


| No need to be sorry about anything Dave.
| The dust will probably be settling out for some time, especially if the
| reports about the cPanel-exploited perpetrator sites are accurate.
| MS has over the past couple years done an amazing job at driving
| up patch coverage and driving down time to patch, but millions are
| likely not in the loop in any timely way.
|
| Roger
|

Today I got an update. This was a TARGETED attack. A US Gov't. site appears to have been
hacked with the VML in HTML exploit installed with installable malware. Users were sent
emails to go to said site, being a Gov't. installation receiving email that purported to be
from the Gov't. entity indicating they should visit the compromised Gov't. web site. I was
told 70 Gov't. computers were thusly compromised!

Additionally, the same (nameless) Gov't. installation has been receiving targeted PowerPoint
Exploits in PowerPoint slides. Symantec has been calling them "Trojan.Dropper" and
"Trojan.PPDropper".
 
David H. Lipman

From: "karl levinson, mvp" <[email protected]>


|
| Yes, absolutely there is SOME real risk.
|
| But on the other hand, I bet that agency was aware of and accepted that
| risk.
|
| I'm guessing that computer was probably not running antivirus with the
| latest definitions.
|
| And the vulnerability used to compromise the web site is probably not
| anything new.
|

No. There is ZERO Acceptable Risk.
Productivity takes a backseat to security.

The computers were up-to-date. See my other reply.
 
karl levinson, mvp

| Yes, absolutely there is SOME real risk.
|
| But on the other hand, I bet that agency was aware of and accepted that
| risk.
|
| I'm guessing that computer was probably not running antivirus with the
| latest definitions.
|
| And the vulnerability used to compromise the web site is probably not
| anything new.
|

| No. There is ZERO Acceptable Risk.
| Productivity takes a backseat to security.

Wouldn't you have to be inside the agency to know what risk they had and had
not accepted?

Am I misunderstanding? There aren't too many places where productivity
really takes a back seat to security in actual practice. I doubt there is
anywhere on the face of the planet where management does everything that
computer security personnel advise. I'm not sure it's possible to get to
zero acceptable risk, there's always risk, and that risk needs to be
accepted. And some countermeasures increase the risk of other security
issues, like loss of availability at the expense of confidentiality. There
are other countermeasures, such as manually re-configuring millions of
computers, that are possible in theory, but prohibitively expensive to the
point of jeopardizing the mission. The end goal is almost never security
for security's sake, but security that is appropriate to the success of the
mission. There are times when security measures, such as removing a system
that is vital to a mission or whose absence could jeopardize human
life, could conflict with the success of the mission. There are times when
taking a security measure reveals or validates information that should not
be revealed or validated.

| The computers were up-to-date. See my other reply.

But there were workarounds from Microsoft that an organization that is serious
about security could choose to implement.
 
Dan W.

MowGreen said:
I'm sorry for posting that trite media hype. " Massive malware run " my
butt. At least those who frequent seedy pRon sites were aware of the issue.

As Roger and Karl have pointed out there was/is potential for this
vulnerability to be exploited still, even though MS did a fine job in
getting the update out in a timely manner.

The only thing massive about the vuln was the shrill hype coming from
the so-called "Tech media". The "regular" media just follow along since
the sensational always is good for ratings and sells papers.

Mowa culpa ;)


MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============

Roger Abell [MVP] said:
To use the words of one notorious poster, it would appear the
news report came from "spin masters" ;-(

In all probability we will be seeing much more use of the VML
vulnerability in coming weeks, in metasploit now, etc.

Now, we sit and watch as few if many acknowledge the great job
MS did on the turn-around for response to VML vulnerability
and even fewer taking note of the fact that machines running the Vista
or the IE 7 rcs just rode out this as a non-event for them.

Roger

Exactly, I concur and no need for apology, MowGreen. It is so easy for
any of us to get caught up in the media hype. I certainly am glad
Microsoft listened to us on the dangers of this particular vulnerability
and released a patch so quickly. This particular vulnerability had the
potential for chaos but Microsoft responded to user's needs for a patch
and delivered.
 
Dan W.

David said:
From: "MowGreen" <[email protected]>

| I'm sorry for posting that trite media hype. " Massive malware run " my
| butt. At least those who frequent seedy pRon sites were aware of the issue.
|
| As Roger and Karl have pointed out there was/is potential for this
| vulnerability to be exploited still, even though MS did a fine job in
| getting the update out in a timely manner.
|
| The only thing massive about the vuln was the shrill hype coming from
| the so-called "Tech media". The "regular" media just follow along since
| the sensational always is good for ratings and sells papers.
|
| Mowa culpa ;)
|
| MowGreen [MVP 2003-2006]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============
|


Sorry guys, I just got a report of a US Gov't. computer getting infected via this Exploit while
accessing a US Gov't. web site.

I am not at liberty, in public, to disclose the infected site and the infector site.

F___ing s__t, those crazies who put out cracks (hacks) to screw with
people's system(s). Some day, I hope the government can work with
Microsoft and select security professionals to start cleaning up the web
for all of the scum floating around. I even got a virus hit when I
clicked on a post in the 98 general newsgroup that someone was asking
about whether it was malicious or not. Fortunately, I called up the
Microsoft security hotline last night and walked through with the
technician about fixing my computer. Actually, I knew all the right
steps but it was certainly nice to have someone on the telephone in case
the whole system wants to go Kabloiee! I had to do a full anti-virus
scan with AVG which fortunately picked up this baddie right away. The
baddie is currently quarantined in AVG vault and I will pass it to you
David for analysis if you are interested to see vector exploit. It
talked about affecting LSASS in Windows system according to notes about
it from AVG. I also had to uninstall and reinstall Outlook Express and
then download the latest security update for Outlook Express. For added
peace of mind --- I installed over Mozilla Thunderbird and Mozilla
Firefox. I use Mozilla Thunderbird to post in the Microsoft newsgroups.
I am just so pleased that my defense network picked it up right away
and I am extremely pleased to report that a multi-layered defense strategy
as outlined in Microsoft technical articles is awesome in protecting
your system(s) and network(s). <SMILE --- Bring It On to the B______DS
who f__k with my system(s)>

I apologize for the cussing and have concealed most of the words but
cusses only explain how I really feel and please accept my apologies in
advance if this post offends anyone. Actually, I rarely cuss except
when I get really emotional as in this case. <smile>
 